fix: FPs noticed with Aurora

Florian Roth
2021-12-05 11:21:40 +01:00
parent a011df121f
commit cb4ee6fbee
5 changed files with 18 additions and 5 deletions
@@ -3,7 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83
description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
status: experimental
date: 2020/05/03
modified: 2021/12/03
modified: 2021/12/05
author: Patrick St. John, OTR (Open Threat Research)
tags:
- attack.defense_evasion
@@ -18,7 +18,11 @@ detection:
selection:
Description: 'Python Core'
filter:
Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
- Image|contains:
- 'Python' # FPs with python38.dll, python.exe etc.
- Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not filter
fields:
- Description
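Review bot: The new `Image|startswith` entries suppress every loading process under `C:\Program Files\` and `C:\Program Files (x86)\`, so a Py2Exe bundle dropped into any user-writable subfolder there (per-application directories with loose ACLs are common) stops matching; consider narrowing the exclusion to the vendor folders actually seen in the Aurora false positives rather than the whole tree. Because `filter` is now a list of maps, the two entries are OR-ed, so the `Image|contains: 'Python'` branch still excludes any process whose path merely contains that substring (Sigma matches case-insensitively), which a bundle named e.g. `python_update.exe` would satisfy. A wording point on the inline comment: in Sysmon image_load events `Image` is the loading process and the DLL lands in `ImageLoaded`, so `# FPs with python38.dll` is misleading for an `Image` filter; something like `# FPs with python.exe and other legitimate Python hosts (Image = loading process)` would be clearer, assuming that is what the filter is meant to catch.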
@@ -8,7 +8,7 @@ references:
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
date: 2019/10/27
modified: 2021/11/27
modified: 2021/12/05
logsource:
category: image_load
product: windows
@@ -78,6 +78,9 @@ detection:
GrantedAccess:
- '0x40'
- '0x1010'
filter9:
SourceImage|endswith: '\explorer.exe'
GrantedAccess: '0x401'
filter_generic:
SourceImage|startswith:
- 'C:\Program Files\'
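Review bot: `filter9` keys on `SourceImage|endswith: '\explorer.exe'`, which accepts any path ending in that file name, so a dumper renamed to `explorer.exe` in a user-writable directory is excluded whenever it opens LSASS with `0x401`; the generic filter directly below pins directories with `startswith`, and this entry should do the same, e.g. `SourceImage: 'C:\Windows\explorer.exe'`. `0x401` is PROCESS_QUERY_INFORMATION | PROCESS_TERMINATE, so the excluded access does not by itself permit a memory read, which limits the impact to whatever else in the rule keys on that mask. The rule's `condition` lies outside this hunk, so I am assuming the numbered filters are combined as `1 of filter*`.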
@@ -61,6 +61,7 @@ detection:
- 'C:\Program Files\Microsoft Visual Studio\'
- 'C:\Windows\Microsoft.NET\Framework'
- 'C:\WINDOWS\System32\DriverStore\'
- 'C:\Windows\System32\WindowsPowerShell\'
- SourceImage:
- 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- 'C:\WINDOWS\system32\taskhostw.exe'
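Review bot: Adding `C:\Windows\System32\WindowsPowerShell\` to the `SourceImage|startswith` list excludes `powershell.exe` from this LSASS-access rule regardless of the access mask, and PowerShell is a common host for in-memory credential dumpers, so this reads as a detection gap rather than a narrow FP fix. The enclosing `detection` block and its condition begin before this hunk, so I cannot see which `GrantedAccess` values the selection covers; if the Aurora false positive used one specific mask, a dedicated filter that pairs the PowerShell path with that `GrantedAccess` value would keep the benign case quiet without whitelisting the whole interpreter. A separate observation on the neighbouring context: `'C:\Windows\Microsoft.NET\Framework'` has no trailing backslash and therefore also matches `Framework64`; if that is intended, a short comment such as `# no trailing backslash: covers Framework and Framework64` would save the next reader a guess.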
@@ -4,7 +4,7 @@ status: experimental
description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
author: Florian Roth
date: 2021/11/27
modified: 2021/11/30
modified: 2021/12/05
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -56,7 +56,12 @@ detection:
- '\AppData\'
- '\Temporary'
filter1:
SourceImage: 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
SourceImage|contains|all:
- 'C:\Users\'
- '\AppData\Local\'
SourceImage|endswith:
- '\Microsoft VS Code\Code.exe'
- '\software_reporter_tool.exe'
GrantedAccess: '0x410'
condition: selection and not 1 of filter*
fields:
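Review bot: The rewritten `filter1` whitelists by file name only: any executable whose path contains `C:\Users\` and `\AppData\Local\` and ends in `\software_reporter_tool.exe` or `\Microsoft VS Code\Code.exe` is excluded when it opens LSASS with `0x410`. `0x410` is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ per the process-security document referenced above, which is sufficient for a MiniDumpWriteDump-style read, and `\AppData\` is one of the "suspicious folders" the selection matches on, so a dumper dropped as `%LOCALAPPDATA%\anything\software_reporter_tool.exe` silently bypasses a rule whose premise is that AppData is untrusted. Keep the vendor directory in the suffix rather than the bare file name — the previous `\AppData\Local\Programs\Microsoft VS Code\Code.exe` for Code, and for the Chrome reporter the versioned `SwReporter` directory it normally lives under (confirm against the Aurora event) — so the exclusion still requires the tool's real install path.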